At the recent Black Hat DC 2010 conference, British security expert David Litchfield demonstrated vulnerabilities in Oracle's latest 11gR2 database release. Overgenerous privileges for Java procedures allow users to escalate their own privileges, up to the point of gaining complete control over the database.
This is because any user can execute the procedures contained in the DBMS_JVM_EXP_PERMS package, which is aimed at making it easier to update Oracle installations. In particular, users can use the IMPORT_JVM_PERMS procedure to change their privileges in the Java policy table so that the JVM allows them to execute operating system commands and to read and write files.
This vulnerability alone does not allow a user lacking the relevant privileges to carry out these operations – this is prevented by Oracle's own system of privileges and roles. A second bug, however, allows users to adapt these privileges as required. The guilty procedure is DBMS_JAVA.SET_OUTPUT_TO_JAVA. This launches a new Java VM with the privileges of the SYS user and starts by executing any SQL code passed to it with those privileges. Litchfield demonstrated how, by using appropriate parameters when calling DBMS_JAVA.SET_OUTPUT_TO_JAVA, an unprivileged user is able to escalate to a fully-privileged DBA user. Thanks to the changes previously made to the Java policy table, that user is then able to execute operating system commands. Litchfield illustrated this under Windows 7 by creating a new user to which he then assigned administrator privileges.
He also demonstrated that it is possible to circumvent the database's Label Security, for which Oracle has received EAL4 certification under Common Criteria. Label Security is intended to ensure that users are only able to see information intended for them. He demonstrated that vulnerabilities in the Java implementation allow arbitrary dynamic libraries to be loaded into the Oracle process. This gives an attacker access to data which should be strictly locked down by Label Security.
Litchfield reports that he informed Oracle of the vulnerabilities back in November. No patch has yet been forthcoming. As a workaround, he recommends removing the generous execution privileges of PUBLIC from the DBMS_JAVA, DBMS_JAVA_TEST and DBMS_JVM_EXP_PERMS packages.
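The workaround above, written out as the SQL a DBA would run, is an added example and not part of the original article or of Oracle's or Litchfield's material. It assumes an Oracle 11g database, a session connected as SYSDBA, and the standard data-dictionary views DBA_TAB_PRIVS and DBA_JAVA_POLICY; the permission class names used in the last query are ordinary JDK permission classes, chosen here as an assumption about what a file-or-command grant would look like in the policy table.

```sql
-- Step 1: confirm the exposure. In an unpatched 11gR2 install, PUBLIC holds
-- EXECUTE on all three packages named in the article.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND table_name IN ('DBMS_JAVA', 'DBMS_JAVA_TEST', 'DBMS_JVM_EXP_PERMS')
   AND privilege = 'EXECUTE'
 ORDER BY table_name;

-- Step 2: apply Litchfield's workaround by revoking the PUBLIC grants.
-- Applications that legitimately call DBMS_JAVA (e.g. to set Java output
-- or load classes) will then need an explicit grant to their own schema.
REVOKE EXECUTE ON SYS.DBMS_JAVA          FROM PUBLIC;
REVOKE EXECUTE ON SYS.DBMS_JAVA_TEST     FROM PUBLIC;
REVOKE EXECUTE ON SYS.DBMS_JVM_EXP_PERMS FROM PUBLIC;

-- Step 3 (optional): re-grant to the specific schemas that need it.
-- APP_OWNER is a placeholder for a real application schema.
-- GRANT EXECUTE ON SYS.DBMS_JAVA TO APP_OWNER;

-- Step 4: re-run the check; it should now return no rows.
SELECT COUNT(*) AS remaining_public_grants
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND table_name IN ('DBMS_JAVA', 'DBMS_JAVA_TEST', 'DBMS_JVM_EXP_PERMS')
   AND privilege = 'EXECUTE';

-- Step 5: audit the Java policy table for grants that would let a schema run
-- OS commands or touch the filesystem. The article describes IMPORT_JVM_PERMS
-- being used to add such entries, so unexpected grantees here are a signal
-- that the workaround was applied too late. The grantee list to exclude is an
-- assumption; adjust it to the schemas your site has deliberately granted.
SELECT kind, grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE type_name IN ('java.io.FilePermission',
                     'java.lang.RuntimePermission',
                     'java.security.AllPermission')
   AND grantee NOT IN ('SYS', 'PUBLIC', 'JAVASYSPRIV', 'JAVA_ADMIN',
                       'JAVAUSERPRIV', 'JAVADEBUGPRIV')
 ORDER BY grantee, type_name, name;
```

Run steps 1 and 4 before and after the revokes so the change is recorded; step 5 is a detection query rather than part of the workaround, and any hit for a schema that should not have filesystem or runtime permissions warrants looking at who granted it and when.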
Although video of Litchfield's talk was available from the Black Hat DC 2010 site, The H found that the video has since been removed.